Splunk Search

How to add a table column that does operations in each cell based on the values from another column?

Motivator

If I have a search that gives me something like this:

```
a b c
1 2 3
4 5 6
7 8 9
```

How do I add a column d that would do an operation (row2columnC - row1columnC, row3columnC - row2columnC ... all the way down) in each cell in column d (just want to show the value in column d)?

```
a b c d
1 2 3 3-0=3
4 5 6 6-3=3
7 8 9 9-6=3
```

I am thinking it would be `...| eval = ??` or something like this...

1 Solution
SplunkTrust

Try this

```
your search |delta c as difference p=1|fillnull value=0 difference
```
Motivator

Don't use eval.

Use the command `delta`, which works like this:

```
For each event where field is a number, the `delta command` computes the difference, in search order, between the field value for the event and the field value for the previous event
```

Next, try this:

```
your search |delta c as d
```
SplunkTrust

Try something like this

```
your current search giving fields a,b,c | delta c as d | eval d=coalesce(d,c)
```
Motivator

What does `eval d=coalesce(d,c)` do here? I can't seem to see the difference. Or do I need a null value to see it working?

http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/Commonevalfunctions

Motivator

All good answers. Here is a working example:
`| makeresults count=3 | streamstats count as a | eval a=a+1 | streamstats count as b | eval b=b+10 | streamstats count as c | eval c=c+11 | delta a as a_dif p=1`
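
The three suggestions in this thread differ only in what they put in the first row, where `delta` has no previous event to subtract from. The following run-anywhere search is an added example, not part of any post above; it rebuilds the asker's a/b/c table with `makeresults`, and the field names `n`, `d_raw`, `d_zero`, `d_coalesce`, `prev_c` and `d_stream` are made up for the comparison.

```spl
| makeresults count=3
| streamstats count as n
| eval a=3*n-2, b=3*n-1, c=3*n
| delta c as d_raw
| eval d_zero=d_raw
| fillnull value=0 d_zero
| eval d_coalesce=coalesce(d_raw, c)
| streamstats current=f window=1 last(c) as prev_c
| eval d_stream=c-coalesce(prev_c, 0)
| table a b c d_raw d_zero d_coalesce d_stream
```

In the first row `d_raw` is empty, `d_zero` is 0, and `d_coalesce` and `d_stream` are both 3 (the asker's `3-0=3`); rows two and three show 3 in every difference column. Because `delta` works in search order, put any `sort` before it.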